Security Incidents mailing list archives
Intrusion=
From: "Harlan S. Barney, Jr." <hsbarney () NYCAP RR COM>
Date: Wed, 24 Jan 2001 14:36:16 -0500
I have detected an intrusion into my computer from within your system. This message is not from an auto-responder program. I report ALL intrusions and expect maximum penalties. I am using the BlackICE program.

Record(s) from Attack-list.csv follow, date and time are GMT:

Other information:

I would appreciate knowing if the miscreant is identified and what punishment was delivered. I do not appreciate these intrusions and the effect they could potentially have on my computer system, as well as the time I have to spend defending my computer system. I am willing to press charges.

Harlan S. Barney, Jr.
Scotia, NY

Description of Attack-list.csv file follows:

This file is in "CSV" (Comma Separated Value) format, and can be imported into spreadsheets and database programs for further processing. The columns are, from left to right:

Severity
This is a number from 1-99 that indicates the severity of an attack, where 1 is not very severe, and 99 is the most severe attack. Unfortunately, these levels do not have any precise meaning. Even an attack at level 1 may result in a compromise of the machine, whereas an attack at level 99 could be harmless. The assigned level is just a best-guess.

Timestamp
This indicates the time and date of the last time the attack occurred. Attacks are "coalesced", meaning that if the same attack occurs multiple times, earlier attacks are sometimes removed from the list and simply merged with the latest one. A count of the number of times an attack has occurred is kept in another column. This timestamp is kept in GMT (aka UTC), and is several hours off from the time you see in the user interface. The ISP will want the time in this format so they don't have to worry about what timezone you are in. NOTE: the computer clock is updated daily from NIST.

"issueId"
A numeric identifier for this attack type. Each of the more than 250 attacks that BlackICE Defender detects is assigned a unique number. This number is used for all internal processing of events. This number may also be pasted at the end of the URL http://advice.networkice.com/advice/intrusions/ in order to get help on the event.

"issueName"
The name of the attack. Each of the unique "issueId" numbers has a name associated with it.

Intruder's IP address
The IP address of the attacker. Remember that IP addresses can sometimes be "spoofed" (forged), or that an intrusion may be a "false-positive", so there isn't a 100% chance that this is actually a hostile person.

Intruder's name
The name of the intruder. We scan both Internet databases like DNS as well as the attacker itself in order to find the "best-name" of the machine, then display it here.

Victim's IP address
This is the IP address of who the intruder was attacking. For example, if a user is running BlackICE Defender and gets attacked on a dial-up, then this will be the IP address assigned to that machine during that dialup session.

"parameters"
This contains some detailed information about the attack. For example, in a "TCP port probe" scan, this will contain a list of "ports" the attacker was scanning. The meaning of this information is documented in the "advICE" database.

Count
The number of times this attack was seen.

Response Level
Its various values can be:
A: Blocked
B: Attack was unsuccessful; BlackICE didn't have to block it
C: Attack status unknown; BlackICE triggered protection measure; it's unlikely the system was compromised
D: Attack possible; BlackICE triggered protection measure; attack may have compromised system
E: Attack was successful; BlackICE could not block attack; system was compromised

END OF MESSAGE
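An added example, not part of the message above and not BlackICE's own tooling: a Python parser for the ten-column Attack-list.csv layout the message documents, with a triage helper that keys on the Response Level letter rather than the numeric Severity (which the documentation itself calls a best-guess) and a per-source tally of coalesced counts, as one would want before sending a report to an ISP. The sample rows, the host names, addresses and issueId values are constructed, and the timestamp layout "YYYY-MM-DD HH:MM:SS" is an assumption, since the message does not state the exact format.

```python
import csv
from dataclasses import dataclass
from datetime import datetime, timezone

# Help URL quoted in the message: the issueId is pasted onto the end.
ADVICE_BASE = "http://advice.networkice.com/advice/intrusions/"

# Response Level codes as documented in the message.
RESPONSE_LEVELS = {
    "A": "Blocked",
    "B": "Attack was unsuccessful; BlackICE didn't have to block it",
    "C": "Attack status unknown; protection measure triggered; compromise unlikely",
    "D": "Attack possible; protection measure triggered; system may be compromised",
    "E": "Attack was successful; BlackICE could not block it; system was compromised",
}

# Assumed timestamp layout (the message does not state the exact format).
TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M:%S"


@dataclass
class AttackRecord:
    severity: int          # 1-99, documented as a best-guess only
    timestamp: datetime    # GMT/UTC, time of the most recent coalesced occurrence
    issue_id: int
    issue_name: str
    intruder_ip: str       # may be spoofed or a false positive
    intruder_name: str
    victim_ip: str
    parameters: str
    count: int             # number of coalesced occurrences
    response: str          # Response Level letter A-E

    @property
    def advice_url(self) -> str:
        return f"{ADVICE_BASE}{self.issue_id}"

    @property
    def response_text(self) -> str:
        return RESPONSE_LEVELS.get(self.response, "unknown response level")


def parse_row(row: list) -> AttackRecord:
    """Convert one CSV row (ten columns, in the documented order) to a record."""
    if len(row) != 10:
        raise ValueError(f"expected 10 columns, got {len(row)}")
    severity = int(row[0])
    if not 1 <= severity <= 99:
        raise ValueError(f"severity out of range: {severity}")
    response = row[9].strip().upper()
    if response not in RESPONSE_LEVELS:
        raise ValueError(f"unknown response level: {row[9]!r}")
    stamp = datetime.strptime(row[1].strip(), TIMESTAMP_FORMAT).replace(tzinfo=timezone.utc)
    return AttackRecord(severity, stamp, int(row[2]), row[3], row[4], row[5],
                        row[6], row[7], int(row[8]), response)


def parse_attack_list(text: str):
    """Parse the whole file; malformed rows are reported, not silently dropped."""
    records, errors = [], []
    for lineno, row in enumerate(csv.reader(text.splitlines()), start=1):
        if not row:
            continue  # blank line
        try:
            records.append(parse_row(row))
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
    return records, errors


def needs_attention(records):
    """Records whose Response Level says the host may have been compromised.
    Severity is a best-guess, so level D/E is the triage key; ties by severity."""
    hits = [r for r in records if r.response in ("D", "E")]
    return sorted(hits, key=lambda r: (r.response, r.severity), reverse=True)


def count_by_intruder(records) -> dict:
    """Sum coalesced counts per source IP, e.g. for an abuse report to the ISP."""
    totals: dict = {}
    for r in records:
        totals[r.intruder_ip] = totals.get(r.intruder_ip, 0) + r.count
    return totals


# Constructed sample data: documentation address ranges, placeholder issueIds,
# and one deliberately malformed row to show error reporting.
SAMPLE_CSV = """\
60,2001-01-24 19:12:05,100001,TCP port probe,192.0.2.17,host17.example.net,203.0.113.5,ports=21;23;80;139,3,A
90,2001-01-24 19:15:40,100002,NetBIOS name query,192.0.2.44,,203.0.113.5,,1,D
5,2001-01-24 19:20:00,100003,Ping sweep,198.51.100.9,scan.example.org,203.0.113.5,,12,B
42,2001-01-24 19:25:10,100004,TCP port probe,192.0.2.17,host17.example.net,203.0.113.5,ports=443,2,A
bad,row
"""

if __name__ == "__main__":
    recs, errs = parse_attack_list(SAMPLE_CSV)
    for r in needs_attention(recs):
        print(r.timestamp.isoformat(), r.issue_name, r.intruder_ip, r.response_text, r.advice_url)
    print(count_by_intruder(recs))
    print("\n".join(errs))
```

Rows that do not have exactly ten columns, a Severity outside 1-99, or a Response Level other than A-E are collected in the error list with their line number instead of being discarded, so a truncated or hand-edited export is noticed rather than silently under-reported.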